Executive Budget System

Governor's Office of Budget and Program Planning

This report provides information regarding general and application controls related to the EBS application. It contains recommendations for improving controls within the office's electronic data processing environment. These recommendations address:

- Establishing policies and procedures for internal evaluations.

- Improving electronic access controls.

- Establishing formal contingency procedures.

- Improving documentation of the system.
EDP AUDITS

Electronic Data Processing (EDP) audits conducted by the Legislative Audit Division are designed to assess controls in an EDP environment. EDP controls provide assurance over the accuracy, reliability, and integrity of the information processed. From the audit work, a determination is made as to whether controls exist and are operating as designed. In performing the audit work, the audit staff uses audit standards set forth by the United States General Accounting Office.

Members of the EDP audit staff hold degrees in disciplines appropriate to the audit process. Areas of expertise include business and public administration.

EDP audits are performed as stand-alone audits of EDP controls or in conjunction with financial-compliance and/or performance audits conducted by the office. These audits are done under the oversight of the Legislative Audit Committee, which is a bicameral and bipartisan standing committee of the Montana Legislature. The committee consists of six members of the Senate and six members of the House of Representatives.


MEMBERS OF THE LEGISLATIVE AUDIT COMMITTEE

Senator Greg Jergeson, Vice Chairman
Representative Ernest Bergsagel, Chairman
Senator Sue Bartlett
Representative Beverly Barnhart
Senator Reiny Jabs
Representative A. R. "Toni" Hagener
Senator Tom Keating
Representative Bob Keenan
Senator Ken Miller
Representative Robert Pavlovich
Senator Linda Nelson
Representative Bruce Simon

Montana Legislative Audit Division
Scott A. Seacat, Legislative Auditor


June 1996

The Legislative Audit Committee
of the Montana State Legislature:

This is a report on our EDP audit of the Governor's Office of Budget and Program Planning's internal controls relating to its computer-based Executive Budget System (EBS). We reviewed the office's general controls as they relate to the data processed on the state mainframe computer and on the office's local area network. In addition, we reviewed application controls over the EBS application. This report contains recommendations for improving controls. Our recommendations include establishing policies and procedures for internal evaluations, improving electronic access security, improving system documentation, and establishing formal contingency procedures. Written responses to our audit recommendations are included in the back of the audit report.

We thank the office personnel for their cooperation and assistance throughout the audit.

Respectfully submitted,

Scott A. Seacat
Legislative Auditor
Executive Budget System

Governor's Office of Budget and Program Planning

Members of the audit staff involved in this audit were Dawn Brewer and Ken Erdahl.
Introduction

This is an audit of internal controls relating to the Governor's Office of Budget and Program Planning's (OBPP) computer-based Executive Budget System (EBS). We performed an electronic data processing audit of this application. We selected the OBPP and this application because of the significant dollar amounts that are processed and the statewide use of the information maintained on the system.

Background

Our audit was limited to one of the Governor's Office programs, the Office of Budget and Program Planning (16.25 FTE). The OBPP assists the governor in planning, preparing, and administering the state budget. It develops and evaluates alternative program plans for providing state government services, and acts as the lead executive branch agency for compliance with the federal Single Audit Act.

The EBS is a combination mainframe and PC-based application. The OBPP extracts specific expenditure information from statewide accounting and payroll systems, using mainframe-based programs. The data are then copied to OBPP's PC-based network. State agency personnel are able to access the data specific to their agency, and use it in preparing their upcoming budget requests. After changes have been made and agreed upon by OBPP, the Legislative Fiscal Division, and agency personnel, the data are copied back to the mainframe for further processing. This report contains five recommendations to OBPP to improve controls associated with the EBS application.


Policies and Procedures

The law provides guidance regarding security which should be considered by agencies in establishing policies and procedures. Section 2-15-114, MCA, requires department heads to be ". . . responsible for assuring an adequate level of security for all data and information technology resources within his department . . ."

OBPP has not conducted an analysis to identify threats to the security of the EBS application, and has no documented policies regarding the use of office computers. The office should perform a security analysis to identify risks, implement procedures to mitigate those risks, and perform periodic evaluations of security in compliance with state law. In addition, formal office-wide policies should be developed which outline employee responsibilities and office standards regarding computer usage.


Contingency Planning

Contingency planning is a basic element of safeguarding computer systems and information resources. Contingency planning involves collecting plans, procedures, arrangements, and information which are completed, compiled, and held in readiness for use in the event of a disruption of normal activities. The contingency plan should include consideration of physical facilities, personnel, operating instructions, supplies and forms, application programs, documentation, system software, and data. Through interviews with office personnel, we determined the office does not have a formal contingency plan as required by section 1-0240.00, MOM. A written, detailed plan outlining recovery procedures should exist and be tested to ensure feasibility of the plan.


Access Controls

Proper access controls assist in the prevention or detection of deliberate or accidental errors caused by improper use or manipulation of data files, unauthorized or incorrect use of a computer program, or improper use of computer resources. Assigning limited access based on job requirements facilitates checks and balances in the system. Also, passwords known only to the user prevent unauthorized users from accessing confidential information. We reviewed mainframe and PC controls over the EBS application, and noted areas where access controls could be improved.

Access to the EBS files and programs, the level of access requested, and the authorization for the access are not documented. As positions change, or turnover occurs, access needs may change. In order to ensure access is proper and authorized, the people needing access, the level of access required, and the time periods for the allowed access should be documented.

Mainframe software provides a daily report of logged user access to EBS programs and data on the mainframe. In addition, the office receives a violation report which lists all unauthorized users who attempted to access electronic files. The security officer does not review the reports, and does not retain the reports for future reference. Retention of the reports would aid in the internal security review, as discussed previously, and provide a means of reference should problems be identified relating to inappropriate access. Also, an individual outside of the security and data processing environment, preferably from a user group, should review the reports. An independent review provides additional controls over access violations and programmer activity, and also provides a control over changes made by the security officer.

Without an independent review, the potential exists for inappropriate access and unauthorized changes to data and programs. The office should assign another person to review the ACF2 reports, in addition to the security officer.


System Documentation

We reviewed the system and user documentation in relation to the EBS application. We determined there is no documentation of the present system. Programming and methodology are known by the system programmer and assistant director, but in the event of their absence there is no documentation to aid in the operation and maintenance of the system. With the planned replacement of the present EBS with a new system, the office should ensure the new system is completely documented, to aid in maintenance of the system and to ensure continuity of operations in the event of employee turnover. Also, adequate documentation for the newly created system could make the transition for future new employees easier and more efficient.


System Enhancements

After a system has been developed and tested, it is critical that any changes or enhancements to the software be controlled. Otherwise, unauthorized changes could be made, and potentially compromise the integrity of the system. While substantial changes would likely be detected, either by OBPP, LFD or agency personnel, the credibility of the budget process could be questioned. In addition, less obvious changes, such as smaller dollar amounts, could go completely undetected. The proposed new system will be designed so changes can be made quickly and easily. This makes it even more critical to have procedures to ensure any changes are authorized and approved. The office should develop policies for the new system for documentation, approval, and testing of changes.


System Edits

System edits are a tool to help ensure only proper data is input to particular fields. For instance, data input can be limited to numeric only, alpha only, date only, etc., which would prevent erroneous information from being input to the field. In addition, input ranges can be set to prevent input of information beyond prescribed limits. Finally, fields can be write-protected to ensure only authorized individuals make changes to the fields. In our review of the present system, we found system edits are very limited.

With the proposed new system, the office has the opportunity to design validity edits into the input screens. If proper edits were in place, many of the potential input errors could be averted at the point of input, reducing the time needed to correct errors later. Many different people input to the screens, including personnel from outside agencies. The office should determine what fields on the input screens can be protected through edits, and ensure the edits are included in the design of the new system.
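As an added illustration of the three kinds of system edits described above (type edits, range edits, and write-protected fields), the following Python is not code from the report or from the EBS. The field names, limits, and roles are hypothetical, and the sample entries are constructed for the example; each rejection names the field and the edit it failed, so an input screen could report all problems at the point of input rather than one at a time.

```python
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, List, Optional, Tuple
import re


@dataclass(frozen=True)
class FieldEdit:
    """The edits that apply to one input field (hypothetical screen definition)."""
    kind: str                                  # "numeric", "alpha", or "date"
    minimum: Optional[float] = None            # inclusive lower bound (numeric only)
    maximum: Optional[float] = None            # inclusive upper bound (numeric only)
    writers: FrozenSet[str] = frozenset()      # roles allowed to change the field; empty = any role


# Hypothetical budget input screen, constructed for this example.
SCREEN_EDITS = {
    "agency_code": FieldEdit("numeric", 1, 9999, writers=frozenset({"obpp"})),  # write-protected
    "program_name": FieldEdit("alpha"),
    "requested_amount": FieldEdit("numeric", 0, 50_000_000),
    "fte": FieldEdit("numeric", 0, 500),
    "effective_date": FieldEdit("date"),
}


def _type_edit(kind: str, raw: str):
    """Apply the type edit; return (converted value, None) or (None, reason)."""
    if kind == "numeric":
        try:
            return float(raw), None
        except ValueError:
            return None, "not numeric"
    if kind == "alpha":
        return (raw, None) if re.fullmatch(r"[A-Za-z ]+", raw) else (None, "not alphabetic")
    if kind == "date":
        try:
            return date.fromisoformat(raw), None
        except ValueError:
            return None, "not a date (expected YYYY-MM-DD)"
    raise ValueError(f"unknown edit kind {kind!r}")


def validate_entry(entry: dict, role: str, edits=SCREEN_EDITS) -> List[Tuple[str, str]]:
    """Check one screen's worth of input. Returns (field, reason) rejections; empty list = accepted."""
    errors = []
    for name, raw in entry.items():
        edit = edits.get(name)
        if edit is None:
            errors.append((name, "unknown field"))
            continue
        if edit.writers and role not in edit.writers:       # write-protection edit
            errors.append((name, f"write-protected for role {role!r}"))
            continue
        value, reason = _type_edit(edit.kind, raw)          # type edit
        if reason is not None:
            errors.append((name, reason))
            continue
        if edit.kind == "numeric":                           # range edit
            low_ok = edit.minimum is None or value >= edit.minimum
            high_ok = edit.maximum is None or value <= edit.maximum
            if not (low_ok and high_ok):
                errors.append((name, f"out of range {edit.minimum}..{edit.maximum}"))
    return errors


if __name__ == "__main__":
    # Constructed sample: a clean agency entry and one with several bad fields.
    good = {"program_name": "Budget Analysis", "requested_amount": "1250000",
            "fte": "16.25", "effective_date": "1996-07-01"}
    bad = {"agency_code": "6101", "requested_amount": "12,500",
           "fte": "9999", "effective_date": "07/01/96"}
    print("good entry:", validate_entry(good, role="agency"))
    for field_name, reason in validate_entry(bad, role="agency"):
        print(f"rejected {field_name}: {reason}")
```

The write-protection check runs before the type and range checks on purpose: an agency user who is not permitted to change the agency code should be told so regardless of whether the value typed was well formed.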
Introduction

This is an audit of internal controls relating to the Governor's Office of Budget and Program Planning's (OBPP) computer-based Executive Budget System (EBS). We performed an electronic data processing audit of this application. We selected the OBPP and this application because of the significant dollar amounts that are processed and the statewide use of the information maintained on the system.

EDP General and Application Controls

An Electronic Data Processing (EDP) audit consists primarily of a review of internal controls. In an automated environment the procedures for reviewing controls are different from those used in a manual environment. However, the objective of ensuring the reliability of controls is still the same. This audit entails performing a general and an application control review. The general control review of the EBS consisted of an examination of the following controls:

Organizational - structure and management of the data processing function. Specific types of organization controls include segregation of duties, assignment of responsibilities, rotation of duties, and supervision.

Procedural - operating standards and procedures which ensure the reliability of computer processing results and protect against processing errors.

System Development - oversight and supervisory controls imposed on development projects. Controls include feasibility studies, development, testing and implementation, documentation, and maintenance.

Electronic Access - controls which allow or disallow user access to electronically stored information such as data files and application programs.

A general control review provides information regarding the ability to control EDP applications operating in the audited environment. Application controls are specific to a given application or set of programs that accomplish a specific objective.

Application controls consist of an examination of the following controls and objectives.

Input - Ensure all data is properly encoded to machine form and that all entered data is approved.

Processing - Ensure all data input is processed as intended.

Output - Ensure all processed data is reported and properly distributed to authorized individuals.

A review of the application documentation and audit trail is also performed. Applications must operate within the general controls environment in order for any reliance to be placed on them.


Background

The Governor's Office was created upon acceptance of Montana into the Union in 1889 and is provided for in Article VI of the Montana Constitution. The office has a total of 48 FTE positions budgeted for fiscal year 1996-97, and administers seven different programs. Our audit was limited to one of these programs, the Office of Budget and Program Planning (16.25 FTE). The OBPP assists the governor in planning, preparing, and administering the state budget. It develops and evaluates alternative program plans for providing state government services, and acts as the lead executive branch agency for compliance with the federal Single Audit Act.

The Legislative Audit Division performed a data processing survey of all of the state's computer applications. From that survey, we rated the applications in order of relative risk. Based on the risk rating, we determined the EBS is an application of high risk due to the criticality of data contained on it, lack of documentation, and other high-risk areas. We performed a preliminary review of the Governor's Office applications, and concluded from that review that the EBS application would be a likely application for an EDP audit. The purpose of the current audit is to determine the adequacy of general and application controls in place over this application.

The EBS is a combination mainframe and PC-based application. The OBPP extracts specific expenditure information from the statewide accounting and payroll systems, using mainframe-based programs. The data are then copied to OBPP's PC-based network. State agency personnel are able to access the data specific to their agency, and use it in preparing their upcoming budget requests. After changes have been made and agreed upon by OBPP, the Legislative Fiscal Division, and agency personnel, the data are copied back to the mainframe for further processing.

OBPP is responsible for maintenance and recovery for the network and relies on the Department of Administration to provide recovery for the mainframe. Various functions on the Local Area Network (LAN) provide for security over the PC applications and files. For instance, LAN access controls prevent people from outside the OBPP from accessing and changing data they are not authorized to change. This prevents people from purposely or accidentally changing the final budget information prior to copying it to the mainframe. The LAN also allows for backup of the data and files. In the event of lost or damaged data or hardware, the information can be restored from the backups.

OBPP is in the process of programming a new system to replace all budget-related applications, including the EBS, the legislative budget system, budget turnaround, and the comptroller (monitoring) function. The updated system should increase the efficiency and reduce processing time for the budget process. Since the new system is still being developed, the office has the opportunity to address concerns we found with the present system to ensure they don't carry over to the new system.


Audit Objectives

The objectives of our audit of the EBS application were to determine if OBPP is properly protecting and maintaining its computer-based information resources through:

1. Adequate general controls, as they relate to the EBS application, including procedural, physical security, and electronic access controls.

2. Adequate application controls over the EBS application in order to evaluate the adequacy and accuracy of data processed and maintained by the application.

Audit Scope and Methodology

The audit was conducted in accordance with government audit standards. We measured the office's general and application controls against criteria established by the American Institute of Certified Public Accountants (AICPA), General Accounting Office (GAO), and accepted industry EDP guidelines.

We reviewed the office's general controls related to the mainframe and network environments which process the EBS application. We interviewed office personnel to gain an understanding of the hardware and software environment specific to the EBS at the OBPP. We also reviewed available documentation relevant to the EBS application.

We conducted an application control review of the EBS application, as it operated through April 1996. We interviewed office personnel, reviewed documentation, and performed sample testing to determine if controls are adequate to ensure input, processing, and output are reasonable and accurate.
Introduction

General controls are developed by the computer user to protect assets and limit losses. The overall objectives of our general controls audit were to determine:

1. The adequacy of overall general controls operating over the EBS application.

2. The adequacy of electronic access controls over EBS system libraries, programs, files, and data.

3. The adequacy of standards for user access to the EBS application.

4. Whether backup and disaster recovery procedures are established and reasonable to recover operations in the event of a disaster.

Conclusion: General controls could be improved

In our review of OBPP's general control environment, we found procedural controls to be adequate, but noted areas where disaster recovery, electronic access controls, and system documentation could be improved.

Conclusion: Application controls adequate to ensure budget information is complete and accurate

We also performed an application review of EBS. During our review, we examined the existing input, processing, and output controls. Overall, we concluded the controls over EBS are adequate to ensure budget information is complete and accurate. However, we found areas where the controls could be improved to prevent future problems with the budget process. This chapter summarizes our findings from our general and application controls review of EBS.


Policies and Procedures

The office should establish policies and procedures in accordance with state law which address safeguarding data and information technology resources, including microcomputer policies and system documentation. Section 2-15-114, MCA, requires department heads to be ". . . responsible for assuring an adequate level of security for all data and information technology resources within his department . . ."

The law provides guidance regarding security which should be considered by agencies in establishing policies and procedures. Procedures OBPP should establish could include, but are not limited to, the following:

1. Conduct and periodically update a comprehensive risk analysis to determine security threats to data and information resources.

OBPP has not conducted an analysis to identify threats to the security of the EBS application. Identifying the threats is the first step in properly protecting the

2. Develop and periodically update written policies and procedures which provide security over data and information resources. These policies should address the use of passwords, procedures for granting access, procedures for removing terminated employee access, and provisions for security and contingency planning.

The office has no documented policies regarding the use of office computers. These policies should give office personnel guidelines on use of the computer, such as what personal activities can or cannot be done on the computer, procedures for protection from computer viruses, the importance of keeping passwords confidential, and employee responsibility for backup of files and programs. In the absence of formal office policies, employees may not be aware of their individual responsibilities regarding computer usage.

3. Implement appropriate cost-effective safeguards to reduce, eliminate, or recover from identified risks to data and information resources.

As noted in item 1, a comprehensive risk analysis has not been performed by OBPP. Until risks are identified, adequate safeguards may not be in place to mitigate those risks.

4. Perform periodic internal reviews and evaluations of the security program for data and information resources.

The office has no standards by which to evaluate its security program. Once risks are identified, and safeguards have been put in place, periodic evaluations of the security program should be done.

OBPP personnel indicated that given the small size of the staff, formal computer policies are not necessary and management's ideas on computer usage can be communicated verbally. However, written policies and standards can ensure all employees are made aware of the office's position on the various issues, and provide a means for the office to measure compliance with office policies. Internal evaluations would ensure policies are followed, high-risk areas are identified, and individuals do not have access above what is required to perform their jobs. The evaluations should also ensure the contingency plan is updated with current information, and is tested regularly.


Recommendation #1

We recommend the office:

A. Perform a risk analysis to determine security threats to data and information resources.

B. Develop formal policies and procedures outlining the employees' responsibilities and office standards regarding computer usage.

C. Perform periodic evaluations of security in compliance with state law.


General Controls

Contingency Planning

Contingency planning is a basic element of safeguarding computer systems and information resources. Contingency planning involves collecting plans, procedures, arrangements, and information which are completed, compiled, and held in readiness for use in the event of a disruption of normal activities. A contingency plan should be comprehensive and periodically tested to facilitate an adequate recovery process. The contingency plan should include consideration of physical facilities, personnel, operating instructions, supplies and forms, application programs, documentation, system software, and data. It should start with an inventory of equipment and programs and be regularly updated to reflect changes in computer equipment and programs. Through interviews with office personnel, we determined the office does not have a formal contingency plan as required by section 1-0240.00, MOM.

The office's use of computers is critical to its operation. Loss of computer use would significantly impact operations. Office personnel indicated they have a plan for backup and recovery, but believe because there are only a few DP staff members in the office, a formal written plan is not necessary. However, in the event of employee unavailability or turnover, a documented contingency plan could be critical.

Data that may need to be recovered could be stored on the mainframe or on the LAN. The data loss could occur at different stages of the budget process. Therefore, a contingency plan should list those people responsible for recovery of the data on the different platforms and at the various stages. In addition, the plan should give detailed procedures for recovery, location of backup tapes and hardware, etc. This would be especially critical in the absence of knowledgeable OBPP staff.

A written, detailed plan outlining recovery procedures should exist and be tested to ensure feasibility of the plan. We recognize thorough contingency planning is an intensive and on-going process. However, maintaining an adequate contingency plan will ensure continued data processing operations and the office's compliance with section 1-0240.00, MOM.


Recommendation #2

We recommend the office develop a contingency plan, in compliance with section 1-0240.00, MOM.
Access Controls

Proper access controls assist in the prevention or detection of deliberate or accidental errors caused by improper use or manipulation of data files, unauthorized or incorrect use of a computer program, or improper use of computer resources. Assigning limited access based on job requirements facilitates checks and balances in the system. Also, passwords known only to the user prevent unauthorized users from accessing confidential information. We reviewed mainframe and PC controls over the EBS application, and noted the following areas where access controls could be improved.

Documentation

Access to the EBS files and programs is given on an "as needed" basis. The reason for the access, the level of access requested, and the authorization for the access are not documented. As positions change, or turnover occurs, access needs may change. In addition, at different stages of the budget process, different people need access to the files and data. For example, agency personnel need access to only their agency data during the onset of the process. OBPP personnel then need access to make changes as negotiated with the agency and the Legislative Fiscal Division (LFD). After that, the OBPP and agency personnel are restricted to read access only, and LFD personnel are given access to make changes. In order to ensure access is proper and authorized, the people needing access, the level of access required, and the time periods for the allowed access should be documented.


ACF2  Report  Review 


ACF2 software provides a daily report of logged user access to EBS programs and data on the mainframe. In addition, the office receives a violation report listing unauthorized attempts to access electronic files. The security officer should review these ACF2 reports to monitor who accesses which program libraries and to determine whether each access is authorized. We determined the security officer does not review the ACF2 reports and does not retain them for future reference. Retaining the reports would aid the internal security review discussed previously and provide a point of reference should problems relating to inappropriate access be identified.


The security officer, in order to perform his duties, has unlimited access to software and data files. A security officer can therefore access, change, or delete programs and data without detection. An individual outside of the security and data processing environment, preferably from a user group, should review the ACF2 reports in addition to the security officer. An independent review provides more effective access control by covering access violations, programmer activity, and changes made by the security officer himself.

Without an independent review, the potential exists for inappropriate access and unauthorized changes to data and programs. The office should assign another person to review the ACF2 reports, in addition to the security officer.
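The review the two preceding subsections call for can be mechanized in part. The following is an added example, not code from the audit report and not ACF2's own report layout: it compares constructed daily access records against a written grant list of the kind described under Documentation (who, what data, what level, which period) and produces the findings a reviewer must follow up. The log line format, the account names (AG5101, OBPP1, LFD1, SECOFF), the dataset names and the dates are all constructed for illustration.

```python
"""Daily access-report review against documented access grants.

Added example, not code from the audit report and not ACF2's report layout:
the log line format, account names, dataset names and dates are constructed.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Grant:
    """One documented, authorized access: who, to what, at what level, and when."""
    user: str
    dataset_prefix: str   # "EBS.AGENCY.5101." covers only that agency's files
    level: str            # "READ" or "WRITE"; WRITE implies READ
    start: date
    end: date


# Accounts that are unrestricted by design (the security officer).  Every use
# is reported so someone outside security and data processing can review it.
PRIVILEGED_USERS = {"SECOFF"}

# Constructed grant list for one budget cycle: agencies write their own
# request files first, OBPP writes during negotiation, then OBPP and agencies
# drop to read-only while LFD makes changes.
GRANTS = [
    Grant("AG5101", "EBS.AGENCY.5101.", "WRITE", date(1996, 1, 1), date(1996, 2, 29)),
    Grant("AG5101", "EBS.AGENCY.5101.", "READ", date(1996, 3, 1), date(1996, 12, 31)),
    Grant("OBPP1", "EBS.AGENCY.", "WRITE", date(1996, 3, 1), date(1996, 4, 30)),
    Grant("OBPP1", "EBS.AGENCY.", "READ", date(1996, 5, 1), date(1996, 12, 31)),
    Grant("LFD1", "EBS.AGENCY.", "WRITE", date(1996, 5, 1), date(1996, 12, 31)),
]

# Constructed daily report lines: date, account, dataset, level, ACF2 result.
SAMPLE_LOG = [
    "1996-02-10 AG5101 EBS.AGENCY.5101.REQUEST WRITE ALLOWED",
    "1996-02-12 AG5101 EBS.AGENCY.6101.REQUEST READ VIOLATION",
    "1996-04-05 AG5101 EBS.AGENCY.5101.REQUEST WRITE ALLOWED",
    "1996-04-05 OBPP1 EBS.AGENCY.5101.REQUEST WRITE ALLOWED",
    "1996-06-03 OBPP1 EBS.AGENCY.5101.REQUEST READ ALLOWED",
    "1996-06-03 LFD1 EBS.AGENCY.5101.REQUEST WRITE ALLOWED",
    "1996-06-04 SECOFF EBS.PROGRAM.LOADLIB WRITE ALLOWED",
]


def parse_log_line(line):
    """Split one constructed record into (date, user, dataset, level, result)."""
    when, user, dataset, level, result = line.split()
    return date.fromisoformat(when), user, dataset, level, result


def grant_covers(g, when, user, dataset, level):
    """True if grant g authorizes this user, dataset, level and date."""
    if g.user != user or not dataset.startswith(g.dataset_prefix):
        return False
    if not g.start <= when <= g.end:
        return False
    return g.level == "WRITE" or level == "READ"


def review_access_log(grants, log_lines):
    """Return (kind, line) pairs the reviewer must follow up.

    VIOLATION    ACF2 refused the access: an unauthorized attempt.
    UNDOCUMENTED ACF2 allowed it, but no current written grant covers it;
                 typically a rule left in place after a phase or role change.
    PRIVILEGED   performed by an unrestricted account; needs independent review.
    """
    findings = []
    for line in log_lines:
        when, user, dataset, level, result = parse_log_line(line)
        if result == "VIOLATION":
            findings.append(("VIOLATION", line))
        elif user in PRIVILEGED_USERS:
            findings.append(("PRIVILEGED", line))
        elif not any(grant_covers(g, when, user, dataset, level) for g in grants):
            findings.append(("UNDOCUMENTED", line))
    return findings


if __name__ == "__main__":
    for kind, line in review_access_log(GRANTS, SAMPLE_LOG):
        print(f"{kind:12} {line}")
```

Run against the constructed data, the block reports three findings. The UNDOCUMENTED one is the case the report is concerned with: ACF2 still allowed the agency account to write its own request file in April, after the request phase had closed, and only a written grant list with time periods makes that visible. The PRIVILEGED finding is the security officer's own write to a program library, which is reported regardless of any grant so that the reviewer outside the security function sees it.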


Recommendation #3

We recommend the office:

A. Establish policies for authorization and documentation of access for all personnel needing access to the system.

B. Require review of ACF2 reports by the security officer and another person independent of the security and data processing function.



Application  Controls 


System  Documentation 


We reviewed the system and user documentation for the EBS application. We determined there is no documentation of the present system. The programming and methodology are known to the system programmer and the assistant director, but in the event of their absence there is no documentation to aid in the operation and maintenance of the system. Proper documentation should provide:

1.      An  understanding  of  a  system's  objectives,  concepts,  and 
output; 
2.  A  source  of  information  for  systems  analysts  and 
programmers  who  are  responsible  for  maintaining  and 
revising  existing  systems  and  programs; 

3.  Information  necessary  for  supervisory  review; 

4.  A  basis  for  training  new  personnel; 

5.  A  means  of  communicating  common  information  to  other 
system  analysts,  programmers,  and  operators; 

6.  A  source  of  information  about  accounting  controls;  and 

7.  A  source  of  information  needed  to  provide  continuity  in  the 
event  of  loss  of  experienced  personnel. 

The  office  is  currently  in  the  process  of  developing  a  new  system, 
so  documentation  of  the  present  system  may  not  be  an  efficient  use 
of  resources.   However,  the  office  should  ensure  the  new  system  is 
completely  documented,  to  aid  in  maintenance  of  the  system  and  to 
ensure  continuity  of  operations  in  the  event  of  employee  turnover. 
Personnel  stated  the  current  system  was  in  place  and  undocumented 
when  they  were  hired  by  OBPP.   As  a  result,  learning  the  system 
was  difficult  and  time-consuming.    Adequate  documentation  for  the 
newly  created  system  could  make  the  transition  for  future  new 
employees  easier  and  more  efficient. 

System Enhancements

After a system has been developed and tested, it is critical that any changes or enhancements to the software be controlled. Otherwise, unauthorized changes could be made and potentially compromise the integrity of the system. While substantial changes would likely be detected by agency, LFD, or OBPP personnel, the credibility of the budget process could still be questioned. Less obvious changes, such as alterations to smaller dollar amounts, could go completely undetected. The proposed new system will be designed so changes can be made quickly and easily, which makes it even more critical to have procedures ensuring that any change is authorized and approved.

The  office  should  develop  policies  for  documentation,  approval, 
and  testing  of  changes.  This  should  be  done  for  the  parts  of  the 
existing  system  that  are  to  be  retained,  as  well  as  all  parts  of  the 
new  system. 
Recommendation  #4 

We  recommend  the  office: 

A.  Ensure  the  new  budget  system  is  completely 
documented. 

B.  Develop  and  implement  policies  to  ensure  all 
enhancements  and  maintenance  to  the  budget  system 
are  approved,  tested  and  documented. 


System Edits

System edits are a tool to help ensure only proper data is input to particular fields. For instance, data input can be limited to numeric only, alpha only, date only, etc., which prevents erroneous information from being input to the field. In addition, input ranges can be set to prevent input of values beyond prescribed limits. Finally, fields can be write-protected to ensure only authorized individuals make changes to them. In our review of the present system, we found system edits are very limited.

Office  personnel  indicated  some  edits  are  in  place  on  the 
mainframe,  to  ensure  validity  of  the  information  as  it  is  copied 
from  the  PC  environment  to  the  mainframe.    However,  the  PC 
input  forms,  where  much  of  the  budget  process  is  done,  do  not 
have  validity  edits. 

With the proposed new system, the office has the opportunity to design validity edits into the input screens. With proper edits in place, many input errors could be averted at the point of input, reducing the time spent correcting them later. Many different people input to the screens, including personnel from outside agencies. The office should determine which fields on the input screens can be protected through edits and ensure those edits are included in the design of the new system.
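The three kinds of edit described above (type, range, and write protection), as an added example that is not code from the audit report or from the EBS itself: a small screen definition for a budget request line, applied to a record as an agency user might key it on a PC input form. The field names, the ranges, the roles AGENCY and LFD, and the sample values are constructed for illustration.

```python
"""Input-screen edits: type, range, and write-protection checks at entry time.

Added example, not code from the audit report or from the EBS: the field
names, ranges, roles (AGENCY, LFD) and sample records are constructed.
"""
from datetime import date
from decimal import Decimal, InvalidOperation


class FieldEdit:
    """Edits for one screen field."""

    def __init__(self, kind, required=True, lo=None, hi=None, writers=None):
        self.kind = kind            # "numeric", "alpha", "date" or "amount"
        self.required = required
        self.lo, self.hi = lo, hi   # inclusive bounds, None for no limit
        self.writers = writers      # roles allowed to change it; None = anyone


# Constructed screen definition for a budget request line.
SCREEN_EDITS = {
    "AGENCY_CODE": FieldEdit("numeric", lo=1000, hi=9999),
    "PROGRAM_NAME": FieldEdit("alpha"),
    "FISCAL_YEAR": FieldEdit("numeric", lo=1997, hi=1999),
    "REQUEST_DATE": FieldEdit("date", lo=date(1996, 1, 1), hi=date(1996, 12, 31)),
    "REQUEST_AMOUNT": FieldEdit("amount", lo=Decimal("0"), hi=Decimal("99999999.99")),
    # Only LFD may enter the legislative adjustment; other roles see it read-only.
    "LFD_ADJUSTMENT": FieldEdit("amount", required=False,
                                lo=Decimal("-99999999.99"), hi=Decimal("99999999.99"),
                                writers={"LFD"}),
}


def parse_field(kind, raw):
    """Convert a keyed string to a typed value, or raise ValueError naming the failed edit."""
    if kind == "numeric":
        if not (raw.isascii() and raw.isdigit()):
            raise ValueError("digits only")
        return int(raw)
    if kind == "alpha":
        if not raw.replace(" ", "").isalpha():
            raise ValueError("letters and spaces only")
        return raw
    if kind == "date":
        try:
            return date.fromisoformat(raw)
        except ValueError:
            raise ValueError("date must be YYYY-MM-DD") from None
    if kind == "amount":
        try:
            value = Decimal(raw)
        except InvalidOperation:
            raise ValueError("amount must be a plain decimal number") from None
        if not value.is_finite() or value != value.quantize(Decimal("0.01")):
            raise ValueError("amount must be whole cents")
        return value
    raise ValueError(f"unknown edit kind {kind!r}")


def validate_input(new, existing, role):
    """Return 'FIELD: problem' strings; an empty list means the record passes every edit."""
    problems = [f"{name}: not a field on this screen" for name in new if name not in SCREEN_EDITS]
    for name, edit in SCREEN_EDITS.items():
        raw = new.get(name, "").strip()
        # Write protection is checked first so a protected field cannot be blanked either.
        if edit.writers is not None and raw != existing.get(name, "") and role not in edit.writers:
            problems.append(f"{name}: write-protected, role {role} may not change it")
        if raw == "":
            if edit.required:
                problems.append(f"{name}: required")
            continue
        try:
            value = parse_field(edit.kind, raw)
        except ValueError as exc:
            problems.append(f"{name}: {exc}")
            continue
        if (edit.lo is not None and value < edit.lo) or (edit.hi is not None and value > edit.hi):
            problems.append(f"{name}: outside allowed range {edit.lo} to {edit.hi}")
    return problems


# Constructed record as stored before the edit session.
EXISTING = {
    "AGENCY_CODE": "5101", "PROGRAM_NAME": "Fisheries", "FISCAL_YEAR": "1998",
    "REQUEST_DATE": "1996-02-10", "REQUEST_AMOUNT": "12500.00", "LFD_ADJUSTMENT": "",
}

# Constructed keying by an agency user; every field but PROGRAM_NAME fails an edit.
AGENCY_INPUT = {
    "AGENCY_CODE": "51O1",          # letter O in place of zero
    "PROGRAM_NAME": "Fisheries",
    "FISCAL_YEAR": "2001",          # outside the biennium
    "REQUEST_DATE": "02/10/1996",   # wrong date layout
    "REQUEST_AMOUNT": "12,500.00",  # thousands separator
    "LFD_ADJUSTMENT": "-500.00",    # agency role may not change an LFD-only field
}

if __name__ == "__main__":
    for problem in validate_input(AGENCY_INPUT, EXISTING, "AGENCY"):
        print(problem)
```

The checks run in the order a screen would apply them: write protection first (so a protected field cannot be blanked by an unauthorized role), then required, type, and range. With edits like these on the PC input forms, the five problems in the constructed record are rejected where they are keyed instead of surfacing after the data has been copied to the mainframe.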
Recommendation #5

We recommend the office include appropriate system edits in the design of the new system.


Conclusion

We determined OBPP properly protects and calculates budget information. We believe the application meets its established objectives of assisting the OBPP in planning, preparing, and administering the state budget. However, we noted areas where the office could improve its controls over the EBS. Establishing policies and procedures for access, computer use, contingency planning, and data input, among other things, could help ensure continuity of operations, accuracy of information on the system, and more efficient use of office resources.
Office of the Governor
Budget and Program Planning
State of Montana

Marc Racicot
Governor

May 28, 1996

PO Box 200802
Helena, Montana 59620-0802


Mr.  Ken  Erdahl,  Senior  EDP  Auditor 
Legislative  Audit  Division 
Montana  Legislative  Branch 
Rm  135,  State  Capitol 
Helena,  MT  59620 

Dear  Mr.  Erdahl: 

Please  find  enclosed  my  responses  to  your  recommendations  from  the  recent  audit  of  the 
Executive  Budget  System  (EBS).  You  will  note  that  I  agree  with  your  recommendations  as  they 
apply  to  the  new  budget  system  under  development  with  the  Legislative  Finance  Division. 

I  have  taken  exception,  however,  with  some  of  your  implications  regarding  the  controls  on  the 
current  EBS.  I  must  admit,  I  probably  dwelled  on  the  current  system  too  much,  since  it  only  has 
about  two  months  of  life  left. 

Thank  you  for  the  opportunity  to  respond. 


Sincerely, 


Steve  Bender 

Assistant  Budget  Director 
TELEPHONE:  (406)  444-3616  FAX:  (406)  444-5529 


OBPP  Responses  to  EBS  Audit 
General  Comment: 

The  OBPP  is  pleased  with  your  conclusion  that: 

"We  determined  OBPP  properly  protects  and  calculates  budget  information.  We  believe  the 
application  meets  the  established  objectives  of  assisting  the  OBPP  in  planning,  preparing,  and 
administering  the  state  budget." 

Further, we concur with many of the concerns you raise regarding the joint budget system currently under development with the Legislative Finance Division. The creation of a new budget system allows us to address many of the shortcomings of the current EBS using modern tools. In addition, we agree that the creation of a shared, enterprise-wide system raises many governance questions that must be resolved. We are fully aware that significant work will be necessary in the areas raised in your audit and in others for our efforts to be truly successful and long lived. In this regard, your thoughts are appreciated and will be acted upon.

Nevertheless,  you  asked  for  my  responses  to  the  specific  recommendations. 

Recommendation  #1 

A.  Perform a risk analysis to determine security threats to data and information resources.

C.  Perform periodic evaluations of security in compliance with state law.

Response: 

The  OBPP  believes  it  has  conducted  the  "risk  analysis"  contemplated  in  the  finding  and  these  risks 
are  fully  understood  by  the  two  people  responsible  for  the  EBS  system.  But,  we  acknowledge  we 
have  no  written  analysis. 

The  EBS,  both  on  the  LAN  and  the  mainframe,  is  secure.  Unauthorized  access  to  the  data  and 
source  code  is  prohibited  by  the  security  measures  included  in  Novell  and  ACF2.  Further,  the  PC 
version  of  the  EBS  source  code  is  password  protected,  thereby  preventing  unauthorized  changes. 
Even  if  agencies  were  able  to  change  the  source  code  in  their  copy  of  the  distributed  EBS 
software,  such  changes  would  be  caught  and  corrected  by  OBPP  in  the  update  process.  Agencies 
have  no  access  rights  to  the  "official"  budget  data  or  system. 

Cost  effective  safeguards  to  eliminate  risks  are  in  place.  As  noted  above,  the  software  and  data  is 
secure.  The  system  and  its  redundant  data  are  fully  backed-up  in  compliance  with  the  state's 
disaster  recovery  plan.  Access  to  the  source  code  is  very  restricted  to  prevent  unauthorized 
changes.  Operating  procedures  further  restrict  access  to  EBS  data  by  non-OBPP  personnel. 
Sufficient  security  reviews  have  been  conducted  to  convince  OBPP  that  the  state  standard 
software  and  our  use  of  its  features  provide  the  necessary  safeguards.  Internal  operating 
procedures  reinforce  these  safeguards. 

Looking  forward,  we  agree  this  becomes  a  major  issue  for  the  new  enterprise-wide  budget 
system  currently  under  development.  The  contractor  is  aware  that  security  is  a  major  concern  in 
the  new  environment,  which  requires  far  greater  measures  than  are  currently  necessary.  Detailed 
security  rules  are  possible  in  ORACLE  and  we  agree  that  significant  work  is  necessary  to  design 
and  test  the  necessary  security  measures. 

B.         Develop  formal  policies  and  procedures  outlining  the  employees'  responsibilities  and 
office  standards  regarding  computer  usage. 

Response: 

The  OBPP  acknowledges  it  has  been  lax  in  this  area.  Standards  have  been  communicated 
verbally,  but  more  formal  written  standards  would  strengthen  the  standards  within  the  Governor's 
Office. 

We  will  develop  written  policies  and  standards  by  September  1. 


Recommendation  #  2 

We  recommend  the  office  develop  a  contingency  plan,  in  compliance  with  1-0240.00, 
MOM. 

Response: 

The  OBPP  acknowledges  that  it  has  not  developed  a  formal,  written  contingency  plan.  But,  we 
are  convinced  that  we  will  be  able  to  respond  to  any  reasonable  contingency  as  rapidly,  or  more 
rapidly,  than  any  other  agency  given  the  redundancies  in  the  current  EBS  and  its  back-ups. 

We  realize  our  current  redundancies  will  no  longer  exist  under  the  new  budget  system  with  its 
centralized  "enterprise"  concept.  The  OBPP  and  LFD,  therefore,  must  work  with  the  Department 
of  Administration  (DoA)  to  develop  a  risk  assessment  and  contingency  plan  to  ensure  we  can 
respond.  Such  planning  will  be  necessary  for  all  of  the  applications  that  will  be  run  on  DoA's  new 
mid-tier  computer.  The  OBPP  and  the  LFD  will  insist  these  services  are  provided  as  part  of  their 
contract  with  DoA. 

Recommendation  #3 

A.         Establish  policies  for  the  authorization  and  documentation  of  access  for  all 
personnel  needing  access  to  the  system. 
B.         Require  review  of  ACF2  reports  by  the  security  officer  and  another  person 
independent  of  the  security  and  data  processing  function. 

The  OBPP  maintains  sufficient  access  control.  Each  of  the  items  noted  in  the  "Access  Controls" 
section  is  currently  being  done. 

Further,  we  believe  we  have  adequate  access  policies  and  their  documentation  is  unnecessary  for 
the  current  EBS.  "Write"  access  to  EBS  data  files  is  given  only  during  the  agency  budget  request 
phase  of  the  budget  cycle,  with  no  access  given  after  this  stage  of  the  process  is  complete.  The 
LFD  has  been  provided  "read"  access  to  OBPP  budget  data  per  their  request  in  order  to  allow 
them  to  efficiently  complete  their  work.  Conversely,  the  LFD  provides  the  OBPP  "read"  access 
to  their  files  for  legislative  monitoring.  At  no  point  can  either  office  directly  change  the  other's 
data  files. 

Only  two  people  are  allowed  access  to  the  EBS  source  code  and  there  is  no  need  to  increase 
access.  Any  need  to  change  the  code  is  understood  between  these  two  people. 

Given  the  very  limited  mainframe  access  to  the  EBS,  ACF2  reports  are  not  interesting  reading. 
Only  two  accounts  have  access.  Nevertheless,  printed  ACF2  reports  are  received  and  retained  for 
reference  purposes. 

We acknowledge these issues will need to be addressed in the design of the new budget system. The contractor is fully aware of the complex access rules. Nevertheless, detailed administrative procedures regarding the governance of the new system still must be resolved. Written procedures will be necessary to communicate and preserve these agreements, and will be developed.

Recommendation  #4 

A.  Ensure  the  new  budget  system  is  completely  documented. 

B.  Develop  and  implement  policies  to  ensure  all  enhancements  and  maintenance  to  the 
budget  system  are  approved,  tested  and  documented. 

We  agree  documentation  is  necessary  and  will  take  steps  to  ensure  the  new  system  is  adequately 
documented.  We  further  agree  that  procedures  for  the  authorization  of  system  changes  must  be 
resolved  and  understood  by  all  parties.  The  OBPP  and  the  LFD  will  cooperatively  ensure  that  the 
items  noted  in  this  recommendation  are  adequately  addressed. 